Newsgroups: php.internals
Date: Tue, 22 Jun 2021 12:30:38 +0200
From: divinity76@gmail.com (Hans Henrik Bergan)
To: PHP internals
Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal
In-Reply-To: <7b1af9310312e0b1435b93490160e08d@gmail.com>

How is one supposed to use this? Like

if (!is_trusted($val)) {
    // $val came from an untrusted source, so HTML-encode it before output
    $val = htmlentities($val, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true);
}
echo "
$val
";

(...)

if (!is_trusted($val)) {
    // same idea for SQL: escape only when the value is not trusted
    $val = $mysqli->real_escape_string($val);
}
$mysqli->query("INSERT INTO tbl VALUES('$val');");

Like that? (My first impression is that this sounds stupid, but I haven't given it enough thought to be sure.)

On Tue, 22 Jun 2021 at 11:48, Lauri Kenttä wrote:
> On 2021-06-21 23:25, Craig Francis wrote:
> >
> > - Integers are now included, which will help adoption:
> >
> > https://wiki.php.net/rfc/is_literal
> >
>
> Thanks for the great improvements!
>
> sprintf seems to have some issues, though.
>
> Currently you're checking the parameter types, not the formats.
> The parameter type matters only when coercing to a string (%s).
> Otherwise sprintf should consider the format, not the parameter.
>
> Example:
> <?php
> function test($s) { var_dump($s, is_trusted($s)); }
> setlocale(LC_ALL, "de_DE.UTF-8");
> test(sprintf("SET c = %c, f = %f, e = %e", 0x27, 1234, 1234));
> test(sprintf("SET d = %d, x = %x, b = %b", 1e2, 1e2, 1e2));
> test(sprintf("SET weird_d = %''*d", 4, 1));
> test(sprintf("SET s = '%s', int to string should be ok", 123));
> ?>
>
> Currently:
> string(43) "SET c = ', f = 1234,000000, e = 1.234000e+3"
> bool(true)
> string(32) "SET d = 100, x = 64, b = 1100100"
> bool(false)
> string(18) "SET weird_d = '''1"
> bool(true)
> string(41) "SET s = '123', int to string should be ok"
> bool(true)
>
> Obviously the results with ints and floats should be the opposite.
>
> If you really want to allow %c, so be it, but I'd disallow it on the
> grounds that (1) it's probably not used in secure strings (usage data,
> anyone?), and thus (2) it could easily be a misspelled %d (for example,
> '%c' instead of '%d' could silently produce an empty result in a query),
> and (3) you're allowing a simple workaround with %s and chr() which
> makes the intent more obvious.
>
> In general, as this is supposed to be a security feature, allowing
> multiple ways for uninformed people to produce "trusted" but actually
> very unsafe values doesn't look like a good idea. I'm not sure if
> allowing trusted single characters to be created through chr or %c
> serves any useful purpose, but I can imagine people using either one
> without realizing that they can create any character, including \0 or '
> or " or non-UTF-8. Better to leave only chr(), one less thing to worry
> about.
>
> Custom padding is a weird edge case, maybe just disallow that too?
>
> As you said yourself, it's not easy to prove anything safe. ;)
>
> --
> Lauri Kenttä
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
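The format-driven check Lauri argues for above, written out as an added example. This is not code from the is_literal/is_trusted RFC, from the PHP engine, or from either message in the thread. It assumes PHP 8 (the `*` width used in the third test case only exists there) and, because released PHP has no is_trusted(), it takes a caller-supplied $argIsTrusted callback in its place; the stand-in used in the demo trusts only ints and floats, which is an assumption of this example, not of the RFC. The function walks the format string conversion by conversion: numeric specifiers are accepted regardless of argument type because their output alphabet is fixed, %s is accepted only when its argument is trusted, and %c or a custom padding character (`'x`) makes the whole result untrusted because either can emit any byte, including \0, ' or ".

```php
<?php
declare(strict_types=1);

// Added example (not from the RFC or the thread). Trust is decided from the
// sprintf() FORMAT, not from the argument types. $argIsTrusted stands in for
// the RFC's is_trusted(), which released PHP does not have (assumption).
function format_is_trusted(string $format, array $args, callable $argIsTrusted): bool
{
    // Conversions whose output is drawn from a fixed alphabet (digits, sign,
    // decimal point, exponent marker, space/zero padding) whatever the argument is.
    $numeric = ['b', 'd', 'e', 'E', 'f', 'F', 'g', 'G', 'h', 'H', 'o', 'u', 'x', 'X'];
    $len  = strlen($format);
    $next = 0;                                   // next positional argument index

    for ($i = 0; $i < $len; $i++) {
        if ($format[$i] !== '%') {
            continue;
        }
        if (++$i >= $len) {
            return false;                        // dangling '%'
        }
        if ($format[$i] === '%') {
            continue;                            // literal percent sign
        }

        // Optional argnum: digits followed by '$', e.g. "%2$s".
        $explicit = null;
        $j = $i;
        while ($j < $len && ctype_digit($format[$j])) {
            $j++;
        }
        if ($j > $i && $j < $len && $format[$j] === '$') {
            $explicit = (int) substr($format, $i, $j - $i) - 1;
            $i = $j + 1;
        }

        // Flags: '-', '+', ' ', '0' are harmless; "'x" selects an arbitrary padding byte.
        while ($i < $len) {
            $c = $format[$i];
            if ($c === "'") {
                return false;                    // custom padding character: rejected
            }
            if ($c !== '-' && $c !== '+' && $c !== ' ' && $c !== '0') {
                break;
            }
            $i++;
        }

        // Width: digits, or '*' (PHP 8) which consumes the next argument.
        if ($i < $len && $format[$i] === '*') {
            $i++;
            $next++;
        } else {
            while ($i < $len && ctype_digit($format[$i])) {
                $i++;
            }
        }
        // Precision: same shape, introduced by '.'.
        if ($i < $len && $format[$i] === '.') {
            $i++;
            if ($i < $len && $format[$i] === '*') {
                $i++;
                $next++;
            } else {
                while ($i < $len && ctype_digit($format[$i])) {
                    $i++;
                }
            }
        }

        if ($i >= $len) {
            return false;                        // format ended inside a conversion spec
        }
        $conv = $format[$i];
        $pos  = $explicit ?? $next++;
        if (!array_key_exists($pos, $args)) {
            return false;                        // sprintf() itself would throw ArgumentCountError
        }
        if (in_array($conv, $numeric, true)) {
            continue;                            // fixed output alphabet; argument type is irrelevant
        }
        if ($conv === 's') {
            if (!$argIsTrusted($args[$pos])) {
                return false;                    // string coercion of an untrusted value
            }
            continue;
        }
        return false;                            // %c (any byte) or an unknown specifier
    }
    return true;
}

// Stand-in for is_trusted(): only ints and floats are trusted here (assumption).
$argIsTrusted = static fn ($v): bool => is_int($v) || is_float($v);

// Lauri's four cases, paired with the verdict the post argues the RFC should give.
$cases = [
    ['SET c = %c, f = %f, e = %e',               [0x27, 1234, 1234], false],
    ['SET d = %d, x = %x, b = %b',               [1e2, 1e2, 1e2],    true],
    ["SET weird_d = %''*d",                      [4, 1],             false],
    ["SET s = '%s', int to string should be ok", [123],              true],
];
foreach ($cases as [$fmt, $args, $expected]) {
    $verdict = format_is_trusted($fmt, $args, $argIsTrusted);
    printf("%-6s %s\n", $verdict ? 'trust' : 'taint', sprintf($fmt, ...$args));
    if ($verdict !== $expected) {
        fwrite(STDERR, "unexpected verdict for format: $fmt\n");
        exit(1);
    }
}
```

Run with `php example.php`; each line shows the verdict next to the actual sprintf() output, so the first case prints the bare `'` that %c produced and the third prints the `'''1` padding, both marked taint, while the int/float cases are marked trust. The design point is that the check never looks at the produced string; it reasons only about what the format is capable of emitting, which is what makes it a property you can argue about rather than a filter you hope catches everything.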